Security Bits – 04 August 2024

Feedback & Followups

• Apple Intelligence:
  • Apple Will “Share the Results of AI Tests” With Public and Govt — www.macobserver.com/…
  • Related: Apple iOS 18.1 Beta previews Apple Intelligence for the first time — www.bleepingcomputer.com/…
  • Related: 🇪🇺 🇨🇳 Apple in talks with the EU and China for Apple Intelligence rollout — www.cultofmac.com/…

Deep Dive 1 — CloudStrike Follow-up

Now that the dust has settled a little, some more details have emerged about what exactly happened last month when a CloudStrike update killed thousands of Windows computers across big businesses around the world and triggered global chaos.

The key facts we now know:

1. The error was caused by a relatively new parsing module introduced in March, and the update was to a data collection template being processed by this parser — this means the error was in sensor code, not protection code.
2. CloudStrike are changing their deployment practices to include tiered rollouts so problems can be nipped in the bud before they get universally deployed.
3. Users did have the option to choose to stay a specific number of updates behind, but for cybersecurity reasons, most chose not to remain un-patched for any amount of time.

Bart’s key observation: sensor updates should never have been pushed out as aggressively as protection rules. CrowdStrike need to break their update settings into two separate update types — one for protection rule updates, and one for sensor rule updates. If I were a customer I would want to get the very latest protections, but I would want to stay one or two updates behind on sensor rules to half my risk of a bad update bricking everything!

A Deeper Technical Analysis (from Bart)

My initial take was that Cloud Strike had no choice but to run as a kernel drive, and that Macs offer no more protection from a bug in a security tool than Windows does. My focus was on the fact that enforced digital signatures only guarantee accountability — so we always know which developer to blame when a third party crashes the macOS kernel. That’s true, but my understanding of the state of play with kernel code on the Mac was one important development behind.

I now know that security tools running on modern versions of macOS & Linux using the latest APIs cannot take down the entire OS like CrowdStrike did on Windows.

Why? Because Apple & the open source community have provided cybersecurity companies with new APIs that let cybersecurity software hook all security-related kernel events without extending the kernel. In Apple’s universe that’s a dedicated type of System Extension for Endpoint Security, and in the open source universe that’s a very powerful technology called eBPF.

Cybersecurity companies are not running in the Kernel on Windows because they want to, but because they have to. No one is better aware of the dangers of kernel code than cybersecurity companies, so they don’t need to be sold on the advantages of getting their code out of the kernel and into user-land where their bugs become app-crashing rather than system-crashing.

This is why CrowdStrike does not use an old-fashioned kernel extension (KEXT) on the Mac, and why the cybersecurity industry is busy migrating their Linux products to eBPF.

The real lesson here should be that Microsoft urgently need to add a safe alternative to kernel drivers like Apple’s Endpoint Security System Extensions API, or, ideally incorporate support for the open eBPF specification into Windows.

Links

• CrowdStrike Explains Friday Incident Crashing Millions of Windows Devices — thehackernews.com/…
• Could our Macs be CrowdStruck? – The Eclectic Light Company — eclecticlight.co/…
• What Should Apple Users Take Away from the CrowdStrike Debacle? — tidbits.com/…
• 🎦 CrowdStrike IT Outage Explained by a Windows Developer — youtube.com/…
• eBPF Documentation: What is eBPF? An Introduction and Deep Dive into the eBPF Technology — ebpf.io/…
• Apple Developer Documentation: System Extensions — developer.apple.com/… & Endpoint Security — developer.apple.com/…

Deep Dive 2 — Google Changes Course on 3rd-Party Cookies

TL;DR: Google has abandoned its plans to end support for 3rd-party cookies in early 2025. They will keep developing their ‘Privacy Sandbox’ technologies in the hope the advertising industry switches to them and away from 3rd-party cookies, and in the near term, add some kind of user consent screen that they claim will ask users for informed consent to being tracked via 3rd-part cookies.

The summary above covers the facts, so the remainder of this segment is opinion by Bart.

For context, both Apple & Mozilla have disabled 3rd-party cookies for many years now, so this is not a technical problem. Instead, this is a political problem caused by the combination of Google’s inherent conflict of interest and their dominant market position.

Google currently holds about 65% of the browser market share, with Safari a distant second with less than 20% and no other browser crossing the 3% threshold. Having close to 3 times the market share of your nearest competitor would probably be enough to get you some regulatory scrutiny in any case, but Google are also big players in online advertising, and they sell ads based on tracking users. This means that any changes they make in how their competitors can use browsers to track people immediately result in claims of anti-competitive behaviour.

While I thought some of Google’s early attempted cookie replacements trialed under the ‘Privacy Sandbox’ branding were ill-advised and not actually good for users, I think their latest offering, the Topics API, actually strikes a good balance between privacy and ad targeting. In fact, were this same technology not coming from Google, such a clearly compromised player, but from a standards body like the W3C, then I think it would stand a good chance of being adopted.

As I understand it, Google have committed to not preferencing their own services in Chrome, so in theory, had they gone ahead and removed 3rd-party cookies, they would have stopped using them for their own ad products too. However, from the POV of their competitors, would it be reasonable to trust Google to develop and manage a standard they depend on for their primary income source fairly? Surely Google would be incentivised to weight the feature set to their benefit, giving higher priority to features they want, and lower priorities to features requested by their competitors? As I like to say, incentives are like roads, you don’t have to follow them, but it sure is easier when you do, and in reality, most people stay on the road!

Finally, based on my reading of the past few years of tech news, it seems clear regulators are being heavily lobbied by the ad industry who are extremely reluctant to change their ways. The like the privacy-invading status quo, and will do anything to keep things as they are for as long as possible. They failed to stop Apple’s App Tracking Transparency because while Safari has a big market share, Apple does not have the same clear conflict of interest Google does. But convincing EU and UK regulators that a big evil US tech giant is destroying local ad companies with their proposed tracking changes proved to be doable. The last delay was announced in response to on-going negotiations with UK regulators, and their concern was not user privacy, but the future of the ad industry. It seems obvious to me the regulators have been swayed by ad companies, and pushed into perverting anti-trust laws intended to protect consumers into a tool for perpetuating user-hostile business practices.

I can only see one user-friendly path forward — Google have to step back from taking any kind of lead, and hand the privacy sandbox over to a genuinely independent industry group. They need to contribute, but it needs to be transparently obvious that they are not in the driving seat, otherwise, the ad industry will always succeed in abusing competition laws to block privacy protections.

Links

• Google rolls back decision to kill third-party cookies in Chrome — www.bleepingcomputer.com/…
• Google halts its 4-plus-year plan to turn off tracking cookies by default in Chrome — arstechnica.com
• 🎧 The Checklist by SecureMac: Checklist 385 – Leaving Cookies on the Table — overcast.fm/…

❗ Action Alerts

• Apple Patches Everything. July 2024 Edition — isc.sans.edu/… (Safari 17.5, iOS & iPadOS 17.5, iOS & iPadOS 16.7.8, macOS Sonoma 14.5, macOS Ventura 13.6.7, macOS Monterey 12.7.5, watchOS 10.6, tvOS 17.5)
• A Reminder to PC users to keep an eye out for firmware updates, especially for your motherboard: PKfail Secure Boot bypass lets attackers install UEFI malware — www.bleepingcomputer.com/…
  • Multiple vendors shipped motherboards with a sample security key marked “do not ship” and “do not trust”, and the matching private key has leaked
  • Affected brands include Acer, Dell, Fujitsu, Gigabyte (most affected), HP, Intel, Lenovo, Supermicro (Full list of devices)

Notable News

• More privacy problems for social media:
  • 🇺🇸 US DOJ suing TikTok for COPPA breaches: US sues TikTok for violating children privacy protection laws — www.bleepingcomputer.com/… (Paraphrasing TikTok’s defence “we don’t do that anymore”)
  • 🇺🇸 Meta settles with Texas over the controversial face recognition feature it removed in 2021: Meta Settles for $1.4 Billion with Texas Over Illegal Biometric Data Collection — thehackernews.com/…
• Two nice cybersecurity improvements for Chrome:
  • Chrome adds better warnings for downloaded password-protected archives, and offers an option to give the password and have Google scan the file — www.bleepingcomputer.com/…
  • Google Chrome adds app-bound encryption to block infostealer malware — www.bleepingcomputer.com/… (Windows only, giving similar protections to KeyChain on Apple’s platforms and the various credential managers on Linux)
• 🇫🇷 Controversially, French authorities effectively hacked infected devices in France to clean them up in advance of the Olympics — French police push PlugX malware self-destruct payload to clean PCs — www.bleepingcomputer.com/…

Interesting Insights

• 🎦 An interesting conversation with two Apple privacy leads: Talking Privacy with Apple: Are Your Secrets Safe? — youtube.com/… (Apple’s User Privacy Engineering Manager Katie Skinner & Apple’s Privacy Product Marketing Lead Sandy Parakilas)

Palate Cleansers

• From Bart: An excellent episode from one of my favourite low-volume high-quality podcasts with an ever so slight Apple bias: Twenty Thousand Hertz: The Sound of Apple — overcast.fm/…
• From Allison via Allister — follow Jason Eckert on Mastodon for a constant stream of nerd jokes.

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji	Meaning
🎧	A link to audio content, probably a podcast.
❗	A call to action.
flag	The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊	A link to graphical content, probably a chart, graph, or diagram.
🧯	A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵	A link to an article behind a paywall.
📌	A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩	A tip of the hat to thank a member of the community for bringing the story to our attention.
🎦	A link to video content.